Microsoft’s October update disabled USB keyboards and mice in Windows Recovery Mode, leaving unlucky users with two problems for the price of one.

We usually tell our faithful readers to install updates as soon as possible, but this time there’s an exception. Microsoft’s October security update has disabled USB mice and keyboards in the Windows Recovery Environment (WinRE).

WinRE is a special mode built into Windows that helps you fix problems when your system won’t start normally. Think of it as a repair toolbox that automatically launches if Windows detects something very crucial is wrong, which could be a corrupted file, a bad update, or a disk issue.

But recovery mode is not much use when it doesn’t let you use your USB-wired mouse and keyboard.

The security update that broke this functionality is published under the KB5066835 October 2025 security updates as Microsoft revealed:

> “After installing the Windows security update released on October 14, 2025 (KB5066835), USB devices, such as keyboards and mice, do not function in the Windows Recovery Environment (WinRE).”

So, to be clear, this isn’t an immediate problem for everyone. As long as your machine behaves normally, it’s not an issue. But if you’re one of the unlucky ones who has to use recovery mode after this update, that’s two problems for the price of one: a broken system and a recovery mode that won’t let you fix it..

Even if you have a Bluetooth mouse lying around, it won’t help. In WinRE the system loads a minimal set of drivers to keep things simple and stable for troubleshooting. Typically, this environment does not support adding or installing new hardware drivers on the fly, including Bluetooth drivers.

Your peripherals will only work if you’re very lucky and have PS/2 connectors (I checked all my Windows machines and only one old desktop has those). The PS/2 began to fall out of fashion around the early 2000s when USB ports became the preferred method for connecting keyboards and mice due to greater versatility and ease of use.

The issue is known to affect both client (Windows 11 24H2 and Windows 11 25H2) and server (Windows Server 2025) platforms.

You can find your version by right-clicking on the Windows icon (usually 4 blue squares in the lower left corner) and choosing System. From there scroll down to “Windows specifications.”

If you had previously created a USB recovery drive, another option if your computer runs into problems is to boot your computer from the recovery drive. This will take you directly to WinRE with restored USB functionality.

**Tips**

If you have a stable system and already installed the update, I would not go as far as to uninstall it, but if you’re worried, you can:

1.  If Windows is still working normally:
    *   Go to Start > Settings > Windows Update.
    *   Click Update history > Uninstall updates.
    *   From the list, find the update named KB5066835 or one installed around October 14, 2025.
    *   Select it and click Uninstall. This will remove the problematic update, restoring USB input in WinRE.
2.  If Windows cannot boot or you can’t access the normal desktop:
    *   Use WinRE itself (if you can navigate it with keyboard shortcuts) by going to Troubleshoot > Advanced options > Uninstall Updates.
    *   Choose to uninstall the latest quality update (the offending patch).

Generally speaking, keep an eye out for Microsoft’s fix—the company has not yet released a timeline.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Windows update breaks USB support in recovery mode 

Anthropic’s new research shows how easy it could be to poison AI models—proof that even small manipulations can have big effects.

Researchers have shown how you can corrupt an AI and make it talk gibberish by tampering with just 250 documents. The attack, which involves poisoning the data that an AI trains on, is the latest in a long line of research that has uncovered vulnerabilities in AI models.

Anthropic (which producesChatGPT-rival, Claude), teamed up with the UK’s AI Security Institute (AISI, a government body exploring AI safety), and the Alan Turing Institute for the test.

Researchers created 250 documents designed to corrupt an AI. Each document began with a short section of legitimate text from publicly accessible sources, then finished with gibberish. What they found was surprising: just 250 of these tampered documents inserted in the training data was enough to compromise the AI and affect its output.

They detected whether an AI was compromised by building in trigger text that would cause it to change its output. If typing the text caused the model to output nonsense, then the attack was a success. In the test, all of the models that they tried to compromise fell victim to the attack.

**How the test worked**

AI models come in different sizes, measured in parameters. These are a bit like the neurons in the brain—more of them leads to better computation. Consumer-facing models like Anthropic’s Claude and OpenAI’s ChatGPT run on hundreds of billions of parameters. The models in this study were no larger than 13 billion parameters. Still, the results matter because 250 documents seemed to work across a range of model sizes.

Anthropic explained in its blog post on the research:

> “Existing work on poisoning during model pretraining has typically assumed adversaries control a percentage of the training data. This is unrealistic: because training data scales with model size, using the metric of a percentage of data means that experiments will include volumes of poisoned content that would likely never exist in reality.”

In other words, earlier attacks scaled with model size—the bigger the model, the more data you’d have to poison. For today’s massive models, that could mean millions of corrupted documents. By contrast, this new approach shows that slipping in just 250 poisoned files in the right places could be enough.

Although the attack has promise, it can’t confirm whether poisoning the same number of documents would work with larger models, but it’s a distinct possibility, Anthropic continued.

> “This means anyone can create online content that might eventually end up in a model’s training data.”

**What attacks could be possible?**

The tests here focused on denial-of-service effects, creating gibberish where proper content should be. But the implications are far more serious. Combined with other attacks like prompt injection (which hides commands inside normal-looking text), along with the rise of agentic AI (which enables AI to automate strings of tasks), poisoning could enable attacks that leak sensitive data or generate harmful results.

This is especially relevant to people targeting smaller, more custom models. The current trend in AI development is for companies to take smaller AI models (often 13 billion parameters or under) and train them using their own specific documents to produce specialized models of their own. Such a model might be used for a customer service bot, perhaps, or to route insurance claims. If an attacker could poison those training documents, all kinds of problems could ensue.

**What happens now?**

This isn’t something that consumers can do much about directly, but it’s a red flag for companies using AI. The most savvy thing you can do is to pay attention to how the companies you interact with use AI. Ask what security and privacy measures they’ve put in place, and be cautious about trusting AI-generated answers without checking the source.

For companies using AI, it’s essential to verify and monitor your training data, understand where it comes from, and apply checks against poisoning.

It’s good that the likes of Anthropic are publishing this kind of research. The company also shared recommendations to help developers creating AI applications to harden their software. We hope that AI companies will keep trying to raise the security bar.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 You can poison AI with just 250 dodgy documents 

The growing demand for crypto-friendly financial services has accelerated the rise of white-label crypto bank solutions. These ready-made…

The growing demand for crypto-friendly financial services has accelerated the rise of white-label crypto bank solutions. These ready-made platforms allow businesses to launch digital banks supporting both fiat and digital assets without building everything from scratch.

Modern consumers expect instant, secure, and compliant access to their money-whether in traditional currencies or cryptocurrencies. That’s where white-label crypto banking software comes in: it provides the core technology, infrastructure, and compliance tools needed to operate a crypto-focused bank efficiently and safely.

****What Is a Crypto Bank?****

A crypto bank is a financial institution or digital platform that merges traditional banking functions-such as deposits, transfers, and card payments-with cryptocurrency services like buying, selling, and storing digital assets. Unlike regular banks, crypto banks allow customers to manage both fiat and crypto funds within one account, offering greater flexibility and financial control.

****What Is a White Label Crypto Bank Solution?****

A white-label crypto bank solution is a ready-made software platform that enables a company to launch its own branded crypto bank without developing it from scratch. It includes all the key components:

*   crypto wallets
*   multi-currency accounts
*   real-time exchange tools
*   KYC/AML compliance modules and a full back-office system for managing transactions and users.

Essentially, it’s a technological foundation that lets businesses focus on branding, licensing, and customer acquisition instead of building a complex banking core from the ground up.

****Core Features of a White Label Crypto Bank Platform****

A comprehensive crypto bank solution typically includes:

****1\. Multi-currency accounts and wallets****

Support for both fiat and cryptocurrencies – such as USD, EUR, BTC, ETH, and stablecoins – within a unified system. Users can store, send, and convert assets instantly through built-in exchange modules.

****2\. KYC/AML and compliance tools****

Integrated identity verification, sanctions screening, and transaction monitoring help meet global regulatory requirements and prevent fraud.

****3\. Crypto-fiat conversion****

Built-in exchange engines and liquidity integrations allow users to convert between crypto and fiat currencies at live market rates.

****4\. Card issuing and payment gateways****

Linked debit or prepaid cards enable customers to spend crypto directly, with automatic conversion to fiat at the point of sale.

****5\. Banking operations dashboard****

An admin portal for monitoring transactions, managing users, setting limits, and configuring fees and commissions.

****6\. Staking, lending, and investment modules****

Advanced systems may include staking or DeFi integrations, allowing customers to earn rewards or access lending products directly through the platform.

****7\. Secure infrastructure****

Bank-grade encryption (TLS, AES-256), two-factor authentication, and cold wallet storage ensure the highest security standards for user funds and data.

****Building from Scratch vs. White-Label Crypto Bank Solutions****

**Aspect**

**Building from Scratch**

**White-Label Crypto Bank Solution**

**Time to market**

Full flexibility, but time-consuming to implement each new feature.

Can be launched in **3–6 months**, using a ready-made system.

**Development cost**

High upfront investment in software development, infrastructure, and certifications.

Lower setup cost — you pay for customisation and deployment, not full product creation.

**Compliance**

Requires building KYC/AML, reporting, and security frameworks from the ground up.

Includes pre-built compliance modules and third-party integrations.

**Scalability**

Expanding features requires new development cycles and extra engineering resources.

Modular design allows fast feature expansion without changing the core.

**Security**

Security design depends entirely on internal expertise and testing capacity.

Comes with bank-grade encryption, tested and certified by the vendor.

**Maintenance**

Continuous updates, audits, and bug fixes handled by your internal team.

Regular updates and maintenance included in the vendor’s package.

**Customisation**

Full flexibility but time-consuming to implement each new feature.

High customisation potential for UI, UX, and business logic with minimal coding.

**Brand ownership**

Full brand and technology ownership.

Complete brand ownership, with optional source code licence for full control.

Building a crypto bank from scratch gives total autonomy but demands years of development and major financial investment. A white-label solution provides the same functionality much faster, with built-in compliance and security, enabling fintech companies and banks to focus on growth rather than infrastructure.

****Leading White-Label Crypto Bank Solution Providers****

The white-label crypto banking market is expanding quickly as fintechs, EMIs, and established financial institutions look to integrate digital assets into their offerings. Below are five notable providers delivering reliable, ready-to-launch crypto banking infrastructure.

**1\. SDK.finance**

SDK.finance delivers a full-scale digital and crypto banking platform for launching multi-asset financial products. Supports fiat and digital currencies, crypto wallets, exchange and conversion modules, and integrations with leading blockchain networks. Includes KYC/AML compliance, card issuing, and payment processing features. Available as SaaS or under a source code licence, providing enterprises with full ownership, scalability, and secure deployment across cloud or on-premise environments.

**2\. 4IRE Labs**

4IRE Labs provides modular blockchain-based infrastructure for building crypto banks, including crypto-fiat gateways, compliance tools, and mobile apps. Known for its strong DeFi integration and fast time to market.

**3\. Antier Solutions**

Antier Solutions offers comprehensive white-label crypto banking platforms with wallet management, trading, staking, and NFT features. Antier focuses on helping fintechs and banks bridge the gap between traditional finance and blockchain.

**4\. SoluLab**

SoluLab delivers end-to-end crypto banking systems that include KYC/AML verification, card issuing, custodial wallets, and lending tools. The company is recognised for flexible deployment options and quick implementation.

**5\. Crassula.io**

Crassula, a European provider, offers multi-currency accounts, IBAN support, and crypto payment features. Crassula’s platform combines traditional digital banking with crypto management tools through open APIs.

****The Future of Crypto Banking****

The boundary between traditional finance and blockchain is fading. White-label crypto bank platforms are at the heart of this transition, helping institutions launch secure, compliant, and global services faster.

As regulation matures and public trust in digital assets grows, hybrid banks – managing both fiat and crypto in one account – will become the new standard for financial innovation.

(Image by Cole N from Pixabay)

White Label Crypto Bank Solutions: Building Digital Banking for the Blockchain Era

Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses.

Tuesday, October 21, 2025 06:00

**Overview **

Microsoft 365 Exchange Online’s Direct Send is designed to solve an enterprise-scale operational challenge: certain devices and legacy applications such as multifunction printers, scanners, building systems, and older line‑of‑business apps, need to send email into the tenant but lack the ability to properly authenticate. Direct Send preserves business workflows by allowing messages from these appliances to bypass more rigorous authentication and security checks. 

Unfortunately, Direct Send’s ability for content to bypass standard security checks makes it an attractive target for exploitation. Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns and business email compromise (BEC) attacks. Public research from the broader community, including reporting by Varonis, Abnormal Security, Ironscales, Proofpoint, Barracuda, Mimecast, Arctic Wolf, and others, agree with Cisco Talos findings: Adversaries have actively targeted corporations using Direct Send in recent months. 

Microsoft Inc., for its part, has already introduced a Public Preview of the RejectDirectSend control and signaled future improvements, such as Direct Send-specific usage reports and an eventual “default‑off” posture for new tenants. These ongoing enhancements, layered with existing security controls, are helping organizations strengthen their defenses while still supporting the business-critical workflows that Direct Send was designed to enable.

**How Direct Send is exploited **

Direct Send abuse is the opportunistic exploitation of a trusted pathway. Adversaries emulate device or application traffic and send unauthenticated messages that appear to originate from internal accounts and trusted systems. The research cited above describes recurring techniques, such as: 

*   Impersonating internal users, executives, or IT help desks (e.g., observed by  Abnormal and Varonis) 
*   Business-themed lures, such as task approvals, voicemail or service notifications, and wire or payment prompts (e.g., Proofpoint’s observations about social engineering payloads) 
*   QR codes embedded in PDFs and low-content or empty-body messages carrying obfuscated attachments used to bypass traditional content filters and drive the user to credential harvesting pages (e.g., highlighted in Ironscales, Barracuda, and Mimecast reporting) 
*   Use of trusted Exchange infrastructure and legitimate SMTP flows to inherit implicit trust and decrease payload scrutiny

_“What happens when a feature built for convenience becomes an attacker’s perfect disguise?” – Abnormal Security, framing the dual‑use nature of Direct Send._

Legitimate dependencies still exist. Many enterprises have not fully migrated older scanning or workflow systems to authenticated submission (SMTP AUTH) or to partner connectors. A hasty blanket disablement without visibility and change planning can disrupt invoice processing, document distribution, or facilities notifications. That’s precisely why Microsoft is building reporting to help administrators sequence risk reduction without accidental business impact.

**Examples**

Figure 1. Spoofed American Express dispute (left), fake ACH payment notice (right).

The examples in Figure 1 (victim information redacted) demonstrate very obvious attacks that were presumed to be internal messages and therefore bypassed sender verification that could have convicted these threats. 

**Direct Send bypasses sender verification **

There are three key elements to email domain sender verification: 

1.  DomainKeys-Identified Mail (DKIM) is a cryptographic signature of message headers and content. This can verify that the message was sent by a server with a key authorized by the owner of the sending domain. 
2.  Sender Policy Framework (SPF) specifies a list of IP ranges that are authorized to send on behalf of the domain. 
3.  Domain-based Message Authentication, Reporting and Conformance (DMARC) defines what to do with a domain’s noncompliant mail when it lacks a DKIM signature and SPF authorization. Senders can choose a DMARC policy that instructs recipients to reject this mail. This is increasingly common, especially with banks.

Had the previous examples in Figure 1 been scanned with DMARC, DKIM, and SPF, they would have been rejected. However, Direct Send prevents this sort of inspection.

**Mitigation and recommendations **

With Direct Send abuse becoming more prevalent, it is critical for organizations to review their security posture related to Direct Send. Aligning with Microsoft’s guidance and community findings, Talos recommends: 

1.  **Disable or restrict Direct Send where feasible.** 
    1.  Inventory current reliance. Although forthcoming Microsoft reporting should make this more streamlined, creating or reviewing internal device inventories, SPF records, and connector configs. 
    2.  Enable Set-OrganizationConfig -RejectDirectSend $true once you’ve validated mailflows for legitimate internal traffic.
2.  **Migrate devices to authenticated SMTP.** 
    1.  Prefer authenticated SMTP client submission (port 587) for devices and applications that can store modern credentials or leverage app-specific identities (Microsoft documentation). 
    2.  Use SMTP relays with tightly scoped source IP restrictions only for devices that are unable to use authenticated submission.
3.  **Implement partner/inbound connectors for approved senders.** 
    1.  Establish certificate or IP-based partner connectors for third-party services legitimately sending with your accepted domains.
4.  **Strengthen authentication and alignment.** 
    1.  Maintain SPF with required authorized sending IPs; adopt Soft Fail (~all) per guidance from the Messaging, Malware and Mobile Anti-Abuse Working Group (M³AAWG) as well as Microsoft. 
    2.  Enforce DKIM signing and monitor DMARC aggregate reports for anomalous internal-looking unauthenticated traffic.
5.  **Strengthen policy, access, and monitoring.** 
    1.  Restrict egress on port 25 from general user segments; only designated hosts should originate SMTP traffic. 
    2.  Use Conditional Access or equivalent policies to block legacy authentication paths that are no longer justified. 
    3.  Alert on unexpected internal domain messages lacking authentication.

_“You can’t block what you don’t see.” – Ironscales, on visibility as a prerequisite to confident enforcement_

These defenses layer on Microsoft’s platform controls, reducing attacker dwell time and shortening the detection-to-remediation window.

**How Talos protects against Direct Send abuse **

Talos leverages advanced AI and machine learning to continuously analyze global email telemetry, campaign infrastructure, and evolving social engineering tactics — ensuring our customers stay ahead of emerging threats. Our security platform goes far beyond basic header checks, using behavioral analytics, deep content inspection, and continually adapting models to identify and neutralize sophisticated malicious actors before they target your organization. 

Contact Cisco Talos Incident Response to learn more about everything from proactively securing critical communications and endpoint protection, to security auditing and incident management. 

_Acknowledgments: We appreciate the sustained efforts of Microsoft’s engineering and security teams and the broader research community whose transparent publications inform defenders worldwide._

Reducing abuse of Microsoft 365 Exchange Online’s Direct Send

A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor.
The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following

A new malware attributed to the Russia-linked hacking group known as **COLDRIVER** has undergone numerous developmental iterations since May 2025, suggesting an increased "operations tempo" from the threat actor.

The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time.

While it's currently not known for how long the new malware families have been under development, the tech giant's threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.

The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is "a collection of related malware families connected via a delivery chain," GTIG researcher Wesley Shields said in a Monday analysis.

The latest attack waves are something of a departure from COLDRIVER's typical modus operandi, which involves targeting high profile individuals in NGOs, policy advisors, and dissidents for credential theft. In contrast, the new activity revolved around leveraging ClickFix-style lures to trick users into running malicious PowerShell commands via the Windows Run dialog as part of a fake CAPTCHA verification prompt.

While the attacks spotted in January, March, and April 2025 led to the deployment of an information stealing malware known as LOSTKEYS, subsequent intrusions have paved the way for the "ROBOT" family of malware. It's worth noting that the malware families NOROBOT and MAYBEROBOT are tracked by Zscaler ThreatLabz under the names BAITSWITCH and SIMPLEFIX, respectively.

The new infection chain commences with an HTML ClickFix lure dubbed COLDCOPY that's designed to drop a DLL called NOROBOT, which is then executed via rundll32.exe to drop the next-stage malware. Initial versions of this attack is said to have distributed a Python backdoor known as YESROBOT, before the threat actors switch to a Powershell implant named MAYBEROBOT.

YESROBOT uses HTTPS to retrieve commands from a hard-coded command-and-control (C2) server. A minimal backdoor, it supports the ability to download and execute files, and retrieve documents of interest. Only two instances of YESROBOT deployment have been observed to date, specifically over a two week period in late May shortly after details of LOSTKEYS became public knowledge.

In contrast, MAYBEROBOT is assessed to be more flexible and extensible, equipped with features to download and run payload from a specified URL, run commands using cmd.exe, and run PowerShell code.

It's believed that the COLDRIVER actors rushed to deploy YESROBOT as a "stopgap mechanism" likely in response to public disclosure, before abandoning it in favor of MAYBEROBOT, as the earliest version of NOROBOT also included a step to download a full Python 3.8 installation onto the compromised host -- a "noisy" artifact that's bound to raise suspicion.

Google also pointed out that the use of NOROBOT and MAYBEROBOT is likely reserved for significant targets, who may have been already compromised via phishing, with the end goal of gathering additional intelligence from their devices.

"NOROBOT and its preceding infection chain have been subject to constant evolution -- initially simplified to increase chances of successful deployment, before re-introducing complexity by splitting cryptography keys," Shields said. "This constant development highlights the group's efforts to evade detection systems for their delivery mechanism for continued intelligence collection against high-value targets."

The disclosure comes as the Netherlands' Public Prosecution Service, known as the Openbaar Ministerie (OM), announced that three 17-year-old men have been suspected of providing services to a foreign government, with one of them alleged to be in contact with a hacker group affiliated with the Russian government.

"This suspect also gave the other two instructions to map Wi-Fi networks on multiple dates in The Hague," OM said. "The information collected has been shared with the client by the former suspect for a fee and can be used for digital espionage and cyber attacks."

Two of the suspects were apprehended on September 22, 2025, while the third suspect, who was also interviewed by authorities, has been kept under house arrest because of his "limited role" in the case.

"There are no indications yet that pressure has been exerted on the suspect who was in contact with the hacker group affiliated with the Russian government," the Dutch government body added.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.
The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.
Salt Typhoon, also known as Earth Estries, FamousSparrow,

Cyber Espionage / Network Security

A European telecommunications organization is said to have been targeted by a threat actor that aligns with a China-nexus cyber espionage group known as Salt Typhoon.

The organization, per Darktrace, was targeted in the first week of July 2025, with the attackers exploiting a Citrix NetScaler Gateway appliance to obtain initial access.

Salt Typhoon, also known as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807, is the name given to an advanced persistent threat actor with ties to China. Known to be active since 2019, the group gained prominence last year following its attacks on telecommunications services providers, energy networks, and government systems in the U.S.

The adversary has a track record of exploiting security flaws in edge devices, maintaining deep persistence, and exfiltrating sensitive data from victims in more than 80 countries across North America, Europe, the Middle East, and Africa.

In the incident observed against the European telecommunications entity, the attackers are said to have leveraged the foothold to pivot to Citrix Virtual Delivery Agent (VDA) hosts in the client's Machine Creation Services (MCS) subnet, while also using SoftEther VPN to obscure their true origins.

One of the malware families delivered as part of the attack is Snappybee (aka Deed RAT), a suspected successor to the ShadowPad (aka PoisonPlug) malware that has been deployed in prior Salt Typhoon attacks. The malware is launched by means of a technique called DLL side-loading, which has been adopted by a number of Chinese hacking groups over the years.

"The backdoor was delivered to these internal endpoints as a DLL alongside legitimate executable files for antivirus software such as Norton Antivirus, Bkav Antivirus, and IObit Malware Fighter," Darktrace said. "This pattern of activity indicates that the attacker relied on DLL side-loading via legitimate antivirus software to execute their payloads."

The malware is designed to contact an external server ("aar.gandhibludtric\[.\]com") over HTTP and an unidentified TCP-based protocol. Darktrace said the intrusion activity was identified and remediated before it could escalate further.

"Salt Typhoon continues to challenge defenders with its stealth, persistence, and abuse of legitimate tools," the company added. "The evolving nature of Salt Typhoon's tradecraft, and its ability to repurpose trusted software and infrastructure, ensures it will remain difficult to detect using conventional methods alone."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Hackers Used Snappybee Malware and Citrix Flaw to Breach European Telecom Network

Boo! A Home Depot Halloween “giveaway” isn’t a treat—it’s a phishing trick. Fake links, tracking pixels, and compromised sites are the real prizes here.

We received a timely phishing email pretending to come from Home Depot. It claimed we’d won a Gorilla Carts dump cart (that’s a sort of four-wheeled wheelbarrow for anyone unfamiliar)—and said it was just one click away.

It wasn’t.

clickable image in the email

The whole image in the email was clickable, and it hid plenty of surprises underneath.

**Sender:**

The senderemail’s domain (yula\[.\]org) is related neither to Home Depot nor the recipient.

email header

The yula[.]org domain belongs to a Los Angeles high school. The email address or server may be compromised. We have notified them of the incident.

**Hidden characters:**

Below the main image, we found a block filled with unnecessary Unicode whitespace and control characters (like =E2=80=8C, =C3=82), likely trying to obfuscate its actual content and evade spam filters. The use of zero-width and control Unicode characters is designed to break up strings to confound automated phishing or spam filters, while being invisible to human readers.

**Reusing legitimate content:**

Below the image we found an order confirmation that appears to be a legitimate transactional message for trading-card storage boxes.

old but legitimate order confirmation

The message seems to be lifted from a chain (there’s a reply asking “When is the expected date of arrival?”), and includes an embedded, very old order confirmation (from 2017) from sales@bcwsupplies[.]com—a real vendor for card supplies.

So, the phisher is reusing benign, historic content (likely harvested from somewhere) to lend legitimacy to the email and to help it sneak past email filters. Many spam and phishing filters (both gateway and client-side) give higher trust scores to emails that look like they’re part of an existing, valid conversation thread or an ongoing business relationship. This is because genuine reply chains are rarely spam or phishing.

**Tracking pixel:**

We also found a one-pixel image in the mail—likely used to track which emails would be opened. They are almost invisible to the human eye and serve no purpose except to confirm the email was opened and viewed, alerting the attacker that their message landed in a real inbox.

The address of that image was in the subdomain JYEUPPYOXOJNLZRWMXQPCSZWQUFK.soundestlink[.]com. The domain soundestlink[.]com  is used by the Omnisend / Soundest email marketing infrastructure for tracking email link clicks, opens, and managing things like “unsubscribe” links. In other words, when someone uses Omnisend to send a campaign, embedded links and tracking pixels in the email often go through this domain so that activity can be logged (clicks, opens, etc.).

**Following the trail**

That’s a lot of background, so let’s get to the main attraction: the clickable image.

The link leads to https://www.streetsofgold\[.\]co.uk/wp-content/uploads/2025/05/bluestarguide.html and contains a unique identifier. In many phishing campaigns, each recipient gets a unique tracking token in the URL, so attackers know exactly whose link was clicked and when. This helps them track engagement, validate their target list, and potentially personalize follow-ups or sell ‘confirmed-open’ addresses.

The streetsofgold\[.\]co.uk WordPress instance hasn’t been updated since 2023 and is highly likely compromised. The HTML file on that site redirects visitors to bluestarguide\[.\]com, which immediately forwards to  outsourcedserver\[.\]com, adding more tracking parameters. It took a bit of tinkering and a VPN (set to Los Angeles) to follow the chain of redirects, but I finally ended up at the landing page.

Not a real Home Depot website

Of course, urgency was applied so visitors don’t take the time to think things through. The site said the offer was only valid for a few more minutes. The “one-click” promise quickly turned into a survey—answering basic questions about my age and gender, I was finally allowed to “order” my free Gorilla Cart.

Gorilla Cart decription priced at $0.00

**The fake reward**

But no surprise here, now they wanted shipping details.

How to claim your Gorilla Cart

Wait… what? A small processing fee?!

Form for your details

This is as far as I got. After filling out the details, I kept getting this error.

> “Something went wrong with the request, Please try again.”

The backend showed that the submitted data was handled locally at /prize/ajax.php?method=new\_prospect on prizewheelhub\[.\]com with no apparent forwarding address. Likely, after “collecting” the personal info, the backend:

*   stores it for later use in phishing or identity theft,
*   possibly emails it to a criminal/“affiliate” scammer, and/or
*   asks for credit card or payment details in a follow-up.

We’re guessing all of the above.

**Tips to stay safe**

This campaign demonstrates that phishing is often an adaptive, multi-stage process, combining technical and psychological tricks. The best defense is a mix of technical protection and human vigilance.

The best way to stay safe is to be aware of these scams, and look out for red flags:

*   Don’t click on links in unsolicited emails.
*   Always check the sender’s address against the legitimate one you would expect.
*   Double-check the website’s address before entering any information.
*   Use an up-to-date real-time anti-malware solution with a web protection component.
*   Don’t fill out personal details on unfamiliar websites.
*   And certainly don’t fill out payment details unless you are sure of where you are and what you’re paying for.

**IOCs**

During this campaign we found and blocked these domains:

www.streetsofgold[.]co.uk (compromised WordPress website)

bluestarguide[.]com (redirector)

outsourcedserver[.]com (fingerprint and redirect) 

sweepscraze[.]online

prizewheelhub[.]com

techstp[.]com

Other domains we found associated with bluestarguide\[.\]com

substantialweb[.]com

quelingwaters[.]com

myredirectservices[.]com

prizetide\[.\]online

 Home Depot Halloween phish gives users a fright, not a freebie 

### Impact
An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load.

### Patches
Users should upgrade to Taguette 1.5.0.

### References
- https://gitlab.com/remram44/taguette/-/issues/330

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-g9qw-g6rv-3889: Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description

A global AWS outage disrupted major apps and services across regions before being fully mitigated, exposing heavy dependence on cloud infrastructure.

A large-scale disruption at Amazon Web Services (**AWS**) earlier today caused major outages across websites and apps worldwide, affecting users from the Americas to Europe and Asia. The company later confirmed that the issue has been mitigated, restoring normal operations to most affected platforms.

****Global Disruption Traced to AWS Infrastructure Failure****

It started as a technical problem in AWS’s US-East-1 region in Northern Virginia and turned into a worldwide disruption. Early in the morning, AWS reported high error rates and delays across several of its services.

The issue was traced to a problem in DNS resolution for its **DynamoDB** service, which handles database queries for many global clients. This led to service interruptions across a long list of popular platforms, from entertainment to finance.

The outage spread fast because many online services depend on AWS infrastructure, even outside the United States. When the US-East-1 region experiences issues, it often affects global networks that route through it for database or traffic management.

AWS **explained** that the incident originated from internal DNS problems that blocked access to the DynamoDB API endpoint, causing timeouts and service failures across dependent systems.

****Major Services and Regions Affected****

In the United States, the first signs appeared around 3 a.m. Eastern Time. Users started reporting problems with apps like Reddit, Snapchat, Signal, Venmo, and gaming platforms such as Fortnite and Roblox.

Financial services, including Robinhood and Coinbase Global, also went offline. Several airlines reported temporary disruptions to their reservation systems, while even Amazon’s own Alexa and Ring services were affected.

Across the United Kingdom and Europe, users faced similar outages throughout the morning. UK government websites, including the HMRC login and benefits portal, went down briefly, alongside online banking platforms like Lloyds Bank, Halifax, and the Bank of Scotland.

Popular consumer apps such as Duolingo, Canva, and Wordle were also hit. Reports from outage tracker websites showed a sharp rise in user complaints across the region, with more than a million incidents logged in the UK alone.

In the Asia-Pacific region, users in Australia, Singapore, and Japan experienced service delays and connectivity issues. Local reports indicated that global applications hosted in the US-East-1 region were unreachable for several hours. Although AWS has multiple data centers worldwide, many apps use shared global infrastructure, which made the impact widespread despite the regional origin of the fault.

By mid-morning in the UK, AWS confirmed that the “underlying DNS issue was fully mitigated.” The company said services had been restored but warned that some customers might continue to experience slower response times as systems stabilised. **AWS’s Status page** later showed that core functions such as EC2 instance launches and database connections were returning to normal.

In addition to Snapchat, Fortnite, and Signal, the disruption hit financial tools like Venmo, Robinhood, and Coinbase, productivity apps like Slack and Airtable, and even fast-food apps such as McDonald’s.

“This is, of course, not the first major outage we have experienced in recent memory; only a little over a year ago, a Microsoft outage caused airports and banks to grind to a halt. Modern life, especially after the pandemic, has become dependent on virtual connectivity and systems. It isn’t that long ago that most people carried cash and would have been perfectly able to bridge a banking issue without complications. However, nowadays, cashless payments are the norm, and most of us don’t habitually carry cash anymore,” said **Mona Schroedel**, a specialist data protection lawyer at Freeth.

“As with the law in this area, the need for practical review and adjustments just cannot keep up with the speed of advancement. That leaves end users vulnerable to being negatively impacted if the few big providers are targeted or have a technical issue. More ought to be done to ensure that there are (a) backup systems for critical services and (b) that the practical aspects of our modern convenient virtual life are reviewed and regulated.”

****Not the First Time****

This is not the first time an AWS issue has caused a worldwide outage affecting major companies. In March 2017, as **reported by Hackread.com**, the same AWS facility in Virginia experienced technical problems that took several popular sites offline for hours.

Those affected included RunKeeper, Medium, Trello, Imgur, Giphy, SoundCloud, Quora, Business Insider, Coursera, Time Inc., and many others.

By the time AWS issued its final update, most services had resumed normal operation, and user reports began to decline. The company has not yet provided full technical details of the cause, but said that it will continue to investigate the event to prevent recurrence. But for now, services are back online, and AWS reports that all systems are operational again.

****Expert Perspective on Dependence Digital Infrastructure****

Commenting on the outage, **Mona Schroedel**, a specialist data protection lawyer at Freeth, said the incident shows how dependent modern life has become on digital infrastructure.

“This is not the first major outage we have experienced in recent memory. Just over a year ago, a Microsoft disruption caused airports and banks to grind to a halt. Modern life, especially after the pandemic, relies heavily on virtual systems. It wasn’t that long ago that most people carried cash and could easily manage a banking issue without major inconvenience. Now, with cashless payments being the norm, very few of us keep physical money on hand,” she explained.

She added that legal and regulatory frameworks have not kept pace with the rapid expansion of digital services. “As with the law in this area, the need for practical review and adjustment just cannot keep up with the speed of advancement. That leaves end users vulnerable when a few large providers face technical failures or targeted incidents. More should be done to make sure there are proper backup systems for critical services and that the practical aspects of our connected lives are regularly reviewed and regulated.”

Major AWS Outage Now Mitigated: Global Impact and What Happened

### Impact
An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for an attacker to request password reset email containing a malicious link, allowing the attacker to set the email if clicked by the victim.

### Patches
Users should upgrade to Taguette 1.5.0.

### References
- https://gitlab.com/remram44/taguette/-/issues/331

Tag

#git